monitoring - All Articles - CISO Platform
2024-03-29T08:57:28Z
https://www.cisoplatform.com/profiles/blogs/feed/tag/monitoring

6 Free Log Management Tools
https://www.cisoplatform.com/profiles/blogs/6-free-log-management-tools
2016-08-01T12:30:00.000Z
pritha (https://www.cisoplatform.com/members/pritha)

<div><p>Log management is one of the primary requirements for building an enterprise-class SOC. In security, log analysis is often the first step in incident forensics. Operating systems such as Windows, Unix and Linux, and network devices such as routers and firewalls, offer native log management capabilities, but these are not sufficient for organizations for a variety of reasons. First, due to storage constraints, older logs are overwritten by the most recent logs. Second, log collection from network devices and OSs is not reliable, and the logs are often not in the same format, which makes analysis difficult. Another challenge is that the logs are distributed across devices and are not centrally stored or managed.</p>
<p style="text-align:right;"><span class="font-size-1">[Header image] image courtesy: <a href="https://www.flickr.com/photos/purpleslog/2870445260">https://www.flickr.com/photos/purpleslog/2870445260</a></span></p>
<p><strong><span class="font-size-6">Some of the benefits of log management are:</span></strong></p>
<ul>
<li>Logs often provide the first-hand evidence in cyber forensics and are invaluable in investigating security incidents and in auditing. Log management makes forensics and investigation much easier.</li>
<li>Logs feed the SIEM solution for continuous security monitoring. Better log management speeds up the correlation engine and provides better insights by reducing noise in analysis results.</li>
<li>Log management helps meet compliance requirements, which require organizations to index log events for easy accessibility and search.</li>
<li>Log management can help optimize storage requirements by discarding unimportant logs.</li>
</ul>
<p>( Read More: <a href="http://www.cisoplatform.com/profiles/blogs/checklist-to-evaluate-siem-vendors">Checklist To Evaluate SIEM Vendors</a> )</p>
<p>Below is a list of open-source log management tools which provide reliable log collection, log normalization and relaying of log messages to a central location for long-term storage.</p>
<p><span class="font-size-4">1. <a href="https://syslog-ng.org/">Syslog-ng</a></span></p>
<p>syslog-ng allows you to flexibly collect, parse, classify, and correlate logs from across your infrastructure and store or route them to log analysis tools.</p>
<p><span class="font-size-4">2. <a href="http://www.rsyslog.com/">rsyslog</a></span></p>
<p><b>Rsyslog</b> is an open-source software utility used on UNIX and Unix-like computer systems for forwarding log messages in an IP network. It implements the basic syslog protocol, extends it with content-based filtering, rich filtering capabilities and flexible configuration options, and adds features such as using TCP for transport.</p>
<p><span class="font-size-4">3. <a href="https://github.com/log2timeline/plaso/wiki">Log2timeline</a></span></p>
<p>Log2timeline is a tool designed to extract timestamps from various files found on a typical computer system and aggregate them into a timeline. Plaso is the Python-based backend engine for log2timeline.</p>
<p><span class="font-size-4">4. <a href="http://www.logalyze.com/">LOGalyze</a></span></p>
<p>LOGalyze is an open-source, centralized log management and network monitoring software. If you would like to handle all of your log data in one place, LOGalyze is the right choice. It supports Linux/Unix servers, network devices and Windows hosts, and provides real-time event detection and extensive search capabilities.</p>
<p><span class="font-size-4">5. <a href="https://www.graylog.org/">Graylog</a></span></p>
<p>Graylog2 collects and aggregates events from a multitude of sources and presents your data in a streamlined, simplified interface where you can drill down to important metrics, identify key relationships, generate powerful data visualizations and derive actionable insights.</p>
<p><span class="font-size-4">6. <a href="http://www.fluentd.org/">Fluentd</a></span></p>
<p>Fluentd is an open-source data collector which lets you unify data collection and consumption for better use and understanding of your data.</p>
<p>( Read More: <a href="http://www.cisoplatform.com/profiles/blogs/top-10-incident-response-siem-talks-from-rsa-conference-2016">Top 10 'Incident Response & SIEM' talks from RSA Conference 2016 (USA)</a> )</p>
</div>

Don’t boil the ocean. Start with that.
https://www.cisoplatform.com/profiles/blogs/don-t-boil-the-ocean-start-with-that
2019-08-22T02:00:00.000Z
Drew Brown (https://www.cisoplatform.com/members/DrewBrown)

<div><p><em>Don’t boil the ocean. Start with that.</em></p>
<p>Before I dipped my toes into security I did a stint as an application administrator. I was responsible for managing system and application monitoring. More performance and capacity monitoring than anything, but there is a clear overlap between tools that capture logs and generate alerts based on thresholds (e.g. IBM Tivoli Monitoring, HP EMS, or Microsoft SCOM) and a SIEM.</p>
<p>My employer had just one of those tools at the time I started and then management wanted to implement a second, though I cannot explain the why on that decision. I digress.</p>
<p>I recall specific conversations about the data the tool(s) were gathering. The console was overwhelmingly full with just a few devices being monitored. Rules and response, even rules for response, were necessary. I might still have the email from a co-worker who asked if he was to “crawl through the phone to choke a user out if they fat fingered their password again.” At least it was an entertaining time.</p>
<p>I happened to search for “best practices” and tips for setting up a SIEM; after all, the SIEM is an extension of good monitoring. I found 5 and 7 step lists from a few vendors and then from SANS a pretty comprehensive and helpful list.</p>
<ol>
<li>Log all relevant events</li>
<li>Define the scope of coverage</li>
<li>Define what events constitute a threat</li>
<li>Detail what should be done about them in what time frame</li>
<li>Document when they occurred and what was done</li>
<li>Document where both the events and follow-up records can be found</li>
<li>Document how long events and tickets are kept</li>
</ol>
<p><em><strong>What I’m going to recommend is counter to what the vendors suggested. Both had items, either the 3rd or 4th priority, to collect as many data points as possible. I strongly disagree with this at the outset.</strong></em></p>
<p>The problem with monitoring tools is noise. Too much noise and we stop listening. Too many false positives and the real positives are ignored. Too much noise and critical events are overlooked. Don’t believe me? Look at Target, or <a href="https://www.cisoplatform.com/profiles/blogs/the-legal-case-for-capital-one-aws-security-breach-a-short-synops" target="_blank">Capital One</a>, or any other major breach where the breached entity had some type of monitoring in place:</p>
<ol>
<li>Establish Requirements First / Identify Compliance Requirements</li>
<li>Have a Comprehensive Incident Response Plan (IRP)
<ol type="a">
<li>Detail what should be done about them, by whom, and in what time frame</li>
</ol>
</li>
<li>Determine Scope
<ol type="a">
<li>Monitor Access to Critical Resources</li>
<li>Defend Your Network Boundaries</li>
</ol>
</li>
<li>Begin with a Pilot Run
<ol type="a">
<li>Collect only what you need, NOT as much data as possible</li>
</ol>
</li>
<li>Review and modify correlation rules</li>
<li>Define what events constitute a threat
<ol type="a">
<li>Know your entity’s risks and appetite for risk</li>
</ol>
</li>
<li>Walk through events manually before automation
<ol type="a">
<li>Align this process with your IRP</li>
</ol>
</li>
<li>Continuously Refine Your SIEM Deployment
<ol type="a">
<li>With success in one event type, move to another event type</li>
<li>Leverage synthetic transactions, crawlers and other tools to simulate events and test your workflow</li>
</ol>
</li>
</ol>
</div>